W3cubDocs

/Ansible

google.cloud.gcp_secret_manager lookup – Get Secrets from Google Cloud as a Lookup plugin

Note

This lookup plugin is part of the google.cloud collection (version 1.7.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install google.cloud.

To use it in a playbook, specify: google.cloud.gcp_secret_manager.

Synopsis

  • retrieve secret keys in Secret Manager for use in playbooks
  • see https://cloud.google.com/iam/docs/service-account-creds for details on creating credentials for Google Cloud and the format of such credentials
  • once a secret value is retreived, it is returned decoded. It is up to the developer to maintain secrecy of this value once returned.
  • if location option is defined, then it deals with the regional secrets of the location

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('google.cloud.gcp_secret_manager', key1=value1, key2=value2, ...) and query('google.cloud.gcp_secret_manager', key1=value1, key2=value2, ...)

Parameter

Comments

access_token

string

support for GCP Access Token

defaults to OS env variable GCP_ACCESS_TOKEN if not present

auth_kind

string

the type of authentication to use with Google Cloud (i.e. serviceaccount or machineaccount)

defaults to OS env variable GCP_AUTH_KIND if not present

key

aliases: name, secret, secret_id

string / required

the name of the secret to look up in Secret Manager

location

string

If provided, it defines the location of the regional secret.

on_error

string

how to handle errors

strict means raise an exception

warn means warn, and return none

ignore means just return none

Choices:

  • "strict" ← (default)
  • "warn"
  • "ignore"

project

string

The name of the google cloud project

defaults to OS env variable GCP_PROJECT if not present

scopes

list / elements=string

Authenticaiton scopes for Google Secret Manager

Default: ["https://www.googleapis.com/auth/cloud-platform"]

service_account_email

string

email associated with the service account

defaults to OS env variable GCP_SERVICE_ACCOUNT_EMAIL if not present

service_account_file

string

JSON Credential file obtained from Google Cloud

defaults to OS env variable GCP_SERVICE_ACCOUNT_FILE if not present

see https://cloud.google.com/iam/docs/service-account-creds for details

service_account_info

string

JSON Object representing the contents of a service_account_file obtained from Google Cloud

defaults to OS env variable GCP_SERVICE_ACCOUNT_INFO if not present

version

string

the version name of your secret to retrieve

Default: "latest"

Examples

- name: Test secret using env variables for credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key') }}"

- name: Test secret using explicit credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', project='project', auth_kind='serviceaccount', service_account_file='file.json') }}"

- name: Test getting specific version of a secret (old version)
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', version='1') }}"

- name: Test getting specific version of a secret (new version)
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', version='2') }}"

- name: Test regional secret using env variables for credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1') }}"

- name: Test regional secret using explicit credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', project='project', auth_kind='serviceaccount',
                    service_account_file='file.json') }}"

- name: Test getting specific version of a regional secret (old version)
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', version='1') }}"

- name: Test getting specific version of a regional secret (new version)
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', version='2') }}"

Return Value

Key

Description

Return value

list / elements=string

the contents of the secret requested (please use “no_log” to not expose this secret)

Returned: success

Authors

  • Google Inc. (@googlecloudplatform)

© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_secret_manager_lookup.html